Research Interests

In the past ten years, the Internet has evolved in terms
of both the type of services and applications being deployed
and the kind of malicious activity being carried out. Web
applications have become tremendously popular, and, nowadays,
they are routinely used in security-critical environments,
such as medical, financial, and military systems. As the use
of web applications for critical services has increased, the
number and sophistication of attacks against these
applications have grown as well. In addition, the hosts that
are compromised by means of vulnerable web applications often
become part of large-scale botnets and are used to spread
malware (e.g., through drive-by downloads) or to host scam
and phishing sites, as black-hat hackers move from
"hacking-for-fun" to "hacking-for-profit."

My research focuses on a number of different topics: how
to protect web applications (by finding vulnerabilities
before they are deployed and also by detecting web-based
attacks), how to detect and block malicious software, and how
to develop, test, and evaluate intrusion detection
systems.

In addition, my expertise in vulnerability analysis and
penetration testing got me involved in two large-scale
efforts to evaluate the security of the voting systems in use
in California and Ohio.

A description of the currently active projects follows.

Projects

Malware Analysis

Wepawet: Detection of Web-based Malware

Wepawet combines anomaly detection with emulation to
automatically identify malicious JavaScript code and support
its analysis. Wepawet uses a number of features and
machine-learning techniques to establish the characteristics
of normal JavaScript code. Then, during detection, Wepawet
identifies anomalous JavaScript code by emulating its
behavior and comparing it to the established profiles. In
addition to identifying malicious code, the system supports
the analysis of obfuscated code and generates detection
signatures for signature-based systems. The Wepawet system
has recently been extended to also analyze Flash files.

Botnet Analysis

We developed an approach that aims to detect bot-infected
hosts. The approach is independent of the underlying botnet
structure, is able to detect individually infected hosts,
deals with encrypted communication, does not rely on the
presence of noisy malicious activities (and can thus detect
communication patterns that resemble legitimate traffic), and
has a low false positive rate.

Our approach applies clustering techniques to the network
flows generated by bot samples to identify periodic
behaviors. Our analysis automatically produces a network
behavior model of the bot that is deployed on a Bro NIDS
sensor and can operate on real-world networks in real
time.

Web Vulnerability Analysis

WALER: Detection of Logic Vulnerabilities in Web
Applications

WALER is a tool to identify application logic
vulnerabilities in web applications. These vulnerabilities
are specific to the functionality of particular programs, and
thus, they are difficult to characterize and identify. WALER
infers specifications that capture the intended logic of the
program. Then, it performs program analysis to identify code
paths that likely violate these specifications, and, thus,
indicate the presence of application logic flaws.

MiMoSa: Identification of Multi-step Attacks in Web
Applications

MiMoSa is a vulnerability analysis tool for web
applications. MiMoSa characterizes both the extended
state and the intended workflow of a web
application. By doing this, our analysis is able to take into
account inter-module relationships as well as the interaction
of an application's modules with back-end databases. As a
result, it is possible to identify sophisticated multi-step
attacks against the application's workflow.

Saner: Analysis of Sanitization Procedures in Web
Applications

Saner is a novel approach to the analysis of the
sanitization process. Most research on vulnerability analysis
has focused on identifying cases in which a web application
directly uses external unsanitized input in critical
operations. However, little research has been performed to
analyze the correctness of the sanitization process
itself.

Saner is a tool that combines static and dynamic analysis
techniques to identify faulty custom sanitization procedures
that can be bypassed by an attacker.

Detection of Web-based Attacks

WebAnomaly

WebAnomaly
is an anomaly-based web application firewall. WebAnomaly uses
a number of different statistical models to characterize the
normal usage patterns associated with a web application.

More precisely, in a first phase, the models' parameters
are learned by observing the users' interactions with the
monitored web applications. Then, in a second phase, the
models are used to detect anomalous requests. By using
machine-learning and anomaly detection techniques, WebAnomaly
does not need to rely on signatures and can detect previously
unseen attacks against custom applications.

Swaddler: Anomaly-based Detection of Web State
Violations

Swaddler is an approach that characterizes the internal
state of an application and learns its relationships with
critical points in the application's execution. More
precisely, the internal state of the application is monitored
during a learning phase. During this phase, the approach
derives the profiles that describe the normal values for the
application's state variables at specific points in the
application's lifetime. Then, during the detection phase, the
application's execution is monitored to identify anomalous
states.
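The two-phase scheme shared by WebAnomaly (profiles of request parameters) and Swaddler (profiles of state variables at a program point) can be sketched in a few lines. The following is an added illustration, not code from either project: it implements two simplified attribute models (a length model using the Chebyshev bound and an enumeration heuristic), learns them from constructed sample requests and state snapshots, and then flags records that violate the learned profiles. All names and sample values are assumptions.

```python
from collections import defaultdict

class AttributeProfile:
    """Profile of one attribute (request parameter or state variable).
    Simplified versions of two WebAnomaly-style models: a length model
    (mean/variance of value length, outliers flagged via the Chebyshev bound
    var/dev^2) and an enumeration model (few distinct training values means
    an unseen value is suspect)."""
    def __init__(self):
        self.n, self.total, self.sq = 0, 0.0, 0.0   # length statistics
        self.seen = set()                            # distinct training values
    def learn(self, value):
        s = str(value)
        self.n, self.total, self.sq = self.n + 1, self.total + len(s), self.sq + len(s) ** 2
        self.seen.add(s)
    def is_anomalous(self, value, threshold=0.1):
        s = str(value)
        mean = self.total / self.n
        var = max(self.sq / self.n - mean ** 2, 0.0)
        dev = abs(len(s) - mean)
        if dev > 0 and var / dev ** 2 < threshold:   # length far outside normal
            return True
        # enumeration heuristic: distinct values grew much slower than samples
        return len(self.seen) * 2 < self.n and s not in self.seen

class ProfileSet:
    """One AttributeProfile per attribute name: learn first, then detect."""
    def __init__(self, threshold=0.1):
        self.profiles, self.threshold = defaultdict(AttributeProfile), threshold
    def learn(self, record):
        for name, value in record.items():
            self.profiles[name].learn(value)
    def anomalies(self, record):
        """Names of attributes violating their profile; unknown names count too."""
        return [name for name, value in record.items() if name not in self.profiles
                or self.profiles[name].is_anomalous(value, self.threshold)]

def build(records, threshold=0.1):
    ps = ProfileSet(threshold)
    for r in records:
        ps.learn(r)
    return ps

# Constructed training data (not real traffic): parameters of normal login
# requests (WebAnomaly) and state variables seen at a checkout point (Swaddler).
TRAIN_REQUESTS = [{"user": u, "lang": l} for u, l in
                  [("alice", "en"), ("bob", "en"), ("carol", "de"), ("dave", "en"),
                   ("erin", "fr"), ("frank", "en"), ("grace", "de"), ("heidi", "en")]]
TRAIN_STATES = [{"logged_in": "1", "total": t} for t in
                ("12.50", "8.00", "31.20", "9.99", "4.50", "27.00", "15.00", "2.25")]

if __name__ == "__main__":
    print(build(TRAIN_REQUESTS).anomalies({"user": "x" * 40, "lang": "en"}))  # ['user']
```

An overlong "user" value or an unseen "lang" code trips the request profiles, while a negative "total" or "logged_in" set to "0" at the checkout point trips the state profiles; real deployments need many more models and far more training data than this sketch.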

Students

For a list of current and past students please check out the
"People" page of the Seclab site.